Group Policy – What's New In Vista And Longhorn Server


1 Group Policy – What's New In Vista And Longhorn Server
Windows Vista TAP Airlift 3/25/ :33 PM
Sean Rooney, Microsoft Consulting Services
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2 State Of Group Policy Today – Heavily used and with broad coverage…
- Of those that have deployed Active Directory, Group Policy is:
  - Actively used by 90%+ of large organizations/enterprises
  - Actively used by 60%+ of mid-market customers
- Policy settings coverage at last major release:
  - 1,800+ registry-based policy settings
  - Many more in security, IE and other extensions
- Customers want more policy settings in the areas of security and desktop management

3 [Diagram]
[Diagram: the Group Policy building blocks – GPO Infrastructure, Policy Enforcement, Active Directory, Policy Targeting, Policy Troubleshooting, Policy Definition, and GPMC and GPEdit (GPO Management and Operations)]

4 GPO Infrastructure – Customer Pains
[Diagram: customer pains overlaid on the building blocks of slide 3, in this order]
- ADM file format and storage issues
- Sysvol bloat
- Policy Enforcement
- Ping issues, VPN scenarios
- Kiosk scenarios
- AD Policy Targeting
- Error messages
- Complicated diagnostic log (Userenv)
- Policy Troubleshooting
- Policy Definition
- Difficult to locate settings
- Lack of best-practice knowledge
- What and where is GPMC?
- Change management, auditing and workflow
- GPMC and GPEdit – GPO Management and Operations

5 Windows Vista Improvements In Group Policy – More settings, applied more reliably, easier to use
Category / Key Features and Enhancements:
- Extending the Coverage:
  - Extended Group Policy to cover new Windows Vista features
  - Improved coverage in key areas like Security and Desktop management
- Reliable and Efficient Application of Policy:
  - More secure, stable infrastructure (Group Policy Service)
  - Responsiveness to changing network conditions for GP processing
  - Enhanced troubleshooting experience
- Ease of Use:
  - Multiple Local GPOs
  - GPMC integration into the operating system
  - Improved syntax and multilingual support for Admin Templates policy settings (ADMX files)
  - A solution to "sysvol bloat"
  - Searching, Filtering and Templates (SP1)

6 Group Policy Client Service
- Reliability – a fundamental Vista goal
- Prior to Windows Vista, Group Policy processing was implemented within the Winlogon process
- Group Policy now runs in a shared service host on the client
- The service has been hardened:
  - A local administrator needs elevated privilege to stop the service
  - Service restart configuration provides recovery from any unexpected failures
  - Isolation of third-party Client Side Extensions
- Note: this is transparent to users

7 Network Awareness – Problems today
- Policy application is not network sensitive:
  - VPN scenario
  - Laptop hibernate/standby recovery
- Slow link detection failures:
  - ICMP turned off at routers
  - Failures in high-bandwidth, high-latency (satellite connection) scenarios

8 Improved Network Awareness
- More responsive to network changes:
  - No longer just 90 minutes or so
  - If the previous policy application cycle was skipped or failed, it retries whenever network connectivity (ability to reach a DC) is available
- Leverages NLA v2.0 (Network Location Awareness):
  - Subscribes for DC availability notification
  - Removal of dependence on ICMP (no more ping!)
  - Improved bandwidth determination (through NLA)
- Note: the Network Quarantine scenario needs additional configuration

9 Local GPO – Customer request
- Local GPOs are primarily used in non-AD environments, for non-domain-joined, shared-use machines like kiosks and task stations
- Customer request: the ability to set different configurations for different users using just the Local GPO
  - A common example is where local admins need a less locked-down configuration than regular users
- This cannot be accomplished today, since there is no concept of 'Security Filtering' on LGPOs

10 Multiple Local GPOs
- Supports having different policy settings for different local users
- LGPOs for:
  - The machine (same LGPO as today)
  - NEW: local groups (Admin or Non-Admin)
  - NEW: individual local users
- Application order is the same as the list above
- Note: any single user receives either the Admin or the Non-Admin LGPO (not both)
- Domain GPOs still have greater precedence than LGPOs (as today)
- New policy setting: the ability to exclude all local GPO processing

11 Troubleshooting Group Policy – Some challenges
- Cryptic error messages:
  - No consistent diagnosis or resolution information
  - Error help link broken
  - Not actionable
- Userenv.log:
  - Not many users aware of this option
  - Not IT-admin friendly
- Each GP extension has a different format and location for its log
- No consolidated, centralized reporting

12 Windows Vista GP Logging enhancements
- Leverages the new 'Crimson' event management feature:
  - XML-based event logs
  - Supports application 'channels'
  - Simple event consolidation using 'Subscription'
  - Can associate actions to events (Send , execute script/WMI jobs)
- Two levels of logging:
  - Admin events
  - Operational events
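As an added example (not part of the presentation), the PowerShell script below shows what an administrator can do with the two logging levels described on this slide, and also performs the service check that slide 6 implies: it confirms the Group Policy Client service is running and shows its recovery configuration, then pulls the Admin-level events the Group Policy provider writes to the System log and the Operational channel events, and finally uses the ActivityId carried by the Operational events to reassemble the complete record of the most recent failed refresh. The look-back window and the event levels treated as problems are my assumptions; the log and provider names are the ones Windows uses from Vista onward.

```powershell
# Added example (not from the presentation): check the Group Policy Client
# service (slide 6) and triage recent Group Policy problems from the two
# Vista-style logging levels (slide 12).
# Assumption: run in an elevated PowerShell session on a Vista or later client.
param(
    [int]$HoursBack = 24    # assumed look-back window
)

# --- Slide 6: the hardened Group Policy Client service -----------------------
$svc = Get-Service -Name gpsvc
"Group Policy Client service status: $($svc.Status)"
# Recovery actions (restart on failure) are what give the service recovery from
# unexpected failures; sc.exe prints the configured failure actions as text.
sc.exe qfailure gpsvc

# --- Slide 12: Admin events and Operational events ---------------------------
$since = (Get-Date).AddHours(-$HoursBack)

# Admin events: written by the Group Policy provider into the System log.
$adminFilter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    Level        = 1, 2, 3          # critical, error, warning
    StartTime    = $since
}
# Operational events: the dedicated channel introduced with Vista.
$opFilter = @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 1, 2, 3
    StartTime = $since
}

# Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events".
$admin = @(Get-WinEvent -FilterHashtable $adminFilter -ErrorAction SilentlyContinue)
$op    = @(Get-WinEvent -FilterHashtable $opFilter    -ErrorAction SilentlyContinue)

$firstLine = { ($_.Message -split "`r?`n")[0] }   # first line of a message is the summary

"Admin-level problems in the last $HoursBack h: $($admin.Count)"
$admin | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Example'; e = { ($_.Group[0].Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

"Operational-level problems in the last $HoursBack h: $($op.Count)"
$op | Sort-Object TimeCreated -Descending | Select-Object -First 20 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = $firstLine } |
    Format-Table -AutoSize

# Correlate: the Operational events of one policy refresh share an ActivityId,
# so the whole story of the latest failure can be pulled with that GUID.
$lastFailure = $op | Sort-Object TimeCreated -Descending | Select-Object -First 1
if ($lastFailure -and $lastFailure.ActivityId) {
    "Events sharing the ActivityId of the most recent problem:"
    Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 2000 -ErrorAction SilentlyContinue |
        Where-Object { $_.ActivityId -eq $lastFailure.ActivityId } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = $firstLine } |
        Format-Table -AutoSize
}
```

The Admin log is what a help-desk engineer reads first (one event per failed refresh, in plain language); the Operational log is the per-extension detail that replaces the old Userenv.log. Because the channel is XML-based, the same filter hashtable can be turned into a subscription on a collector server, which is the "simple event consolidation" the slide refers to.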

13 GPMC Integration
- GPMC is the one-stop shop for managing Group Policy (has been our recommendation for almost 3 years)
- Why integrate GPMC into the operating system? The perception is…
  - "It's just a little utility"
  - "Great, but it's not part of the Operating System"
  - "What's GPMC?"
- Will be available on client and server – no need to download/install
- No major feature updates; just bug fixes and localization
- Some feature updates will be available in "Longhorn" Server (Vista SP1)

14 ADMX Files
- Some challenges with ADM files:
  - No support for multilingual environments
  - Sysvol bloat (4 MB+ per GPO – not a good thing!)
  - A rather obscure and somewhat limited syntax
- ADMX benefits:
  - Multilingual support built in (associated ADML files)
  - Improved storage of files (uses either local ADMX files or the "central store")
  - More extensible language (XML-based)

15 No Central Store
- Windows Vista Administrative Machine (English):
  - %windir%\policydefinitions: Printing.admx, inetres.admx
  - %windir%\policydefinitions\en-us: Printing.adml, inetres.adml
- Windows Vista Administrative Machine (French):
  - %windir%\policydefinitions: Printing.admx, inetres.admx
  - %windir%\policydefinitions\fr: Printing.adml, inetres.adml

16 Using The Central Store
- <sysvol>\policies\policydefinitions: Printing.admx, inetres.admx, ..
  - \en-us: Printing.adml, inetres.adml
  - \fr: ..
- [Diagram: both the Windows Vista Administrative Machine (English) and the Windows Vista Administrative Machine (French) point at this single location]
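The following PowerShell script is an added example, not part of the presentation or of any Microsoft tool. It builds the central store of slide 16 from the local PolicyDefinitions folder of a Vista administrative machine (slide 15), and then runs the check a practitioner wants before pointing every admin workstation at SYSVOL: every .admx must have a matching .adml in each language folder, and every $(string.ID) reference inside an .admx must be defined in that .adml, otherwise GPMC and GPEdit show errors instead of setting names. The domain name, the language list and the rule that only the listed language folders are copied are my assumptions; Windows names the folders after the full culture (en-US, fr-FR) where the slide draws \en-us and \fr.

```powershell
# Added example (not from the presentation): build the ADMX central store from
# a reference Vista admin workstation and check ADMX/ADML consistency.
# Assumptions: domain DNS name and language folders are parameters; the account
# running this can write to \\<domain>\SYSVOL\<domain>\Policies.
param(
    [string]$Domain      = 'corp.example.com',                         # placeholder
    [string[]]$Languages = @('en-US', 'fr-FR'),                        # the slide's \en-us and \fr
    [string]$Source      = (Join-Path $env:windir 'PolicyDefinitions'),
    [switch]$Copy                                                      # without -Copy only the report runs
)

$store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

if ($Copy) {
    # Mirror the .admx files and only the language folders we support.
    New-Item -ItemType Directory -Path $store -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $store -Force
    foreach ($lang in $Languages) {
        $dst = Join-Path $store $lang
        New-Item -ItemType Directory -Path $dst -Force | Out-Null
        Copy-Item -Path (Join-Path (Join-Path $Source $lang) '*.adml') -Destination $dst -Force
    }
}

# Check the central store if it exists, otherwise the local copy of slide 15.
$root = if (Test-Path $store) { $store } else { $Source }
"Checking $root"
$problems = 0

foreach ($admx in Get-ChildItem -Path $root -Filter '*.admx') {
    $xml = [xml](Get-Content -Path $admx.FullName)      # ADMX is plain XML
    # displayName/explainText attributes are $(string.ID) references into the ADML.
    $refs = [regex]::Matches($xml.OuterXml, '\$\(string\.([A-Za-z0-9_]+)\)') |
            ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique

    foreach ($lang in $Languages) {
        $adml = Join-Path (Join-Path $root $lang) ($admx.BaseName + '.adml')
        if (-not (Test-Path $adml)) {
            "MISSING   $lang\$($admx.BaseName).adml"
            $problems++
            continue
        }
        # Collect the string ids the ADML defines in its stringTable.
        $res = [xml](Get-Content -Path $adml)
        $ids = @{}
        foreach ($s in $res.policyDefinitionResources.resources.stringTable.string) { $ids[$s.id] = $true }

        foreach ($u in ($refs | Where-Object { -not $ids.ContainsKey($_) })) {
            "UNDEFINED $lang\$($admx.BaseName).adml lacks string id '$u'"
            $problems++
        }
    }
}
"Problems found: $problems"
```

Run it once with -Copy from the English reference machine and once from the French one; the report stage is what you re-run after every ADMX update, since a mismatched ADMX/ADML pair in SYSVOL is seen by every administrator in the domain at once.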

17 Windows Vista Interop Scenarios (ADMX/ADM Co-Existence)
- Windows Vista does not ship with any ADM files
- ADMX files are a superset of the older ADM files
- Both ADMX and ADM files can co-exist; you can use the "Add/Remove Templates" dialog for ADM files
- You can leverage this feature in existing Win2k3/Win2k environments; just the admin workstations need to run Vista
- Note: no plan currently to ship an ADM to ADMX conversion tool

18 ADM Templates – Usability Improvements (Windows Vista SP1 / "Longhorn" Server)
- Comments:
  - Enable per-GPO and per-setting comments
- Search/Filter – locate settings based on:
  - Text search of setting title, explain text and comments
  - Platform and applications "supported on"
  - Managed (true GP policy setting)
  - Configured (enabled or disabled)
  - The result of a search is a filtered GPedit view
- Templates:
  - Encapsulation of best practices/scenarios
  - Will contain recommended policy settings and values
  - Microsoft will ship some initial scenario-based templates
  - Anyone can create and share new custom templates
  - Create new GPOs based on a template
  - GPMC will provide 'Template management' support

19 Prototype UI For Templates And Search And Filter Features
[Screenshots: Filter Options dialog; GPMC Template integration]

20 Migration/Upgrade
- Reliable/seamless migration for both types:
  - Same-machine upgrade (2000/XP to Vista)
  - PC-to-PC migration (2000/XP/Vista to Vista)
- Stand-alone workstation
- Domain-joined client or server machine:
  - All policy settings are retained and reapplied on first boot as if they had just joined the domain
- Domain-joined admin workstation:
  - The old version of GPMC is removed and, since GPMC is on every client, it is no longer accessible via ARP
  - GPMC preferences will be retained

21 Data Included In The Migration/Upgrade
- Local GPO
- Group Policy engine preference keys and values
- Registration info for any third-party extensions (potentially their settings will not)
- Software Installation packages installed using GPOs
- Any registry (ADM* template) based policy setting
- All policy settings are retained and reapplied on first boot as if they had just joined the domain
- All RSoP data will NOT be migrated and will be regenerated
- Domain-joined admin workstation:
  - The old version of GPMC is removed and, since GPMC is on every client, it is no longer accessible via ARP
  - GPMC preferences will be retained

22 The Right Set Of Policy Settings
- 1,800+ policy settings today – and hundreds more in Windows Vista
- "Groundswell" of support across the operating system: Group Policy is a Windows 'Manageability' basic
- Policy settings greatly expanded in a number of areas. Some examples…
  - Removable Storage Devices
  - IPsec/Windows Firewall
  - Power Management
  - Printer Management
  - Troubleshooting and Diagnostics
  - Windows Defender
  - Network Access Protection
  - Internet Explorer
  - Tablet PC
  - Windows Error Reporting
  - User Account Control (UAC)
  - Wired and Wireless Policy
  - Desktop Shell
  - Globalization
  - Remote Assistance

23 Security – Over-privileged users
- Most end users have higher privilege on their system than what is required
  - Security is relaxed to run line-of-business applications
- Problems:
  - Security risks: spyware and viruses can run in the context of a high-privilege/administrator account
  - Lost productivity and increased help desk costs
- Customers want "secure by default" behavior

24 User Account Control (UAC) Policy Settings
- Only a per-machine setting; can be found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
- UAC settings:
  - Behavior of elevation prompt for administrators in Admin Approval Mode
  - Behavior of elevation prompt for standard users
  - Detect application installs and prompt for elevation
  - Elevate executables only if signed and validated
  - Run all administrators in Admin Approval Mode
  - Switch to secure desktop when prompting for elevation

25 Windows Firewall And IPsec
- Combines Windows Firewall and IPsec management into a single user experience
- Provide a more intelligent firewall:
  - Specify allowed applications and ports
  - Allow connections only if they are secured
  - Allow connections only from a specified Active Directory group
- Enforce isolation scenarios:
  - Restrict network resource access to domain-joined computers
- Simplify management:
  - Unifies management concepts into a single console
  - Streamlines configuration of core scenarios
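As an added example (not from the presentation), the PowerShell script below configures the two scenarios this slide lists using the netsh advfirewall context that ships with the unified firewall/IPsec stack: a domain isolation connection security rule that requires authenticated inbound traffic and requests it outbound, which restricts access to domain-joined computers because only they hold computer Kerberos tickets, and an inbound port rule that is honoured only when the connection is secured by that rule and the peer computer is a member of a named Active Directory group. The domain NetBIOS name, the group name, the port (Remote Desktop, 3389) and the rule names are my placeholders; netsh takes the group as an SDDL string containing its SID, so the script resolves the name first.

```powershell
# Added example (not from the presentation): the two slide-25 scenarios with
# netsh advfirewall. Assumptions: run elevated on a Vista/Longhorn-class
# domain member; CORP and "Secure Servers" are placeholders for a real domain
# and AD computer group; rule names are my own.
param(
    [string]$DomainNetbios = 'CORP',            # placeholder
    [string]$AllowedGroup  = 'Secure Servers'   # placeholder AD computer group
)

# 1. Domain isolation: require authenticated inbound, request it outbound,
#    using computer Kerberos. Non-domain computers cannot authenticate, so
#    their inbound connections are refused on the domain profile.
netsh advfirewall consec add rule `
    name="Domain isolation (added example)" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout auth1=computerkerb profile=domain

# 2. Port rule that applies only when the connection is secured by IPsec AND
#    the remote computer is in the AD group. netsh wants the group as an SDDL
#    string built from its SID, not as a name, so resolve the name first.
$acct = New-Object System.Security.Principal.NTAccount($DomainNetbios, $AllowedGroup)
$sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "D:(A;;CC;;;$sid)"

netsh advfirewall firewall add rule `
    name="Remote Desktop from $AllowedGroup only (added example)" `
    dir=in action=allow protocol=TCP localport=3389 profile=domain `
    security=authenticate rmtcomputergrp="$sddl"

# 3. Verify: these are the same objects the single console displays.
netsh advfirewall consec show rule name="Domain isolation (added example)"
netsh advfirewall firewall show rule name="Remote Desktop from $AllowedGroup only (added example)" verbose
```

Deploy the same two rules through the Windows Firewall with Advanced Security node of a domain GPO rather than per machine; running them locally as above is the quickest way to see which properties the GPO needs and to confirm, with the show commands, that the group restriction was recorded as an SDDL string and not silently dropped.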

26 Security – Other new policy settings
- Windows Defender (anti-spyware):
  - Enable/disable real-time protection/scanning
  - Manage signature download configuration
- Device installation control:
  - Prevent driver installation for specific devices
- Wireless and Wired service configuration:
  - Different policy settings for wired and wireless 802.1X
- Network Access Protection:
  - Control quarantine setting
- Enhanced Public Key Policy configuration:
  - More policy settings for certificates
- Enhanced Internet Explorer security configuration:
  - Support for IE7 security features

27 Desktop Management – Power management
- Group Policy control over power settings allows businesses to control energy costs
- Extensive power management:
  - Windows Vista includes extensive power management capabilities
  - All power settings are per-user and per-machine
  - Group Policy support for all in-box power settings
  - Separate power plan for when no user is logged into the system
- Energy savings by default:
  - Default settings enable energy-saving features on all PCs
  - Sleep is the default "off" behavior for the system
  - System sleep idle timeouts are enabled
  - Display blanking timeouts are enabled

28 Desktop Management – Printer Management, Internet Explorer, Shell
- Printer Management:
  - Deploy printers to machines or users (per machine: shared-use computers; per user: printers follow users)
  - Roll out trusted printer drivers, prevent installation of untrusted printer drivers
  - Delegate printer installation rights
- Internet Explorer:
  - Converting most settings away from Internet Explorer Maintenance (IEM) to registry-based
- Shell team:
  - Classic Shell, Logon, Start Menu and Control Panel
  - Screen Saver: define timeout, restrict to "built in"
  - Security conscious: force prompting, don't save credentials
  - Sync and Sharing: item sharing, PC-PC, folder redirection

29 Security – Removable storage devices
- Significant security risk due to small removable storage devices:
  - USB storage devices
  - MP3 players
  - CD/DVD burners
- Risks:
  - Unwanted data in (spyware, viruses)
  - Confidential data out (sales data, product design, price quotes, etc.)
- Customers want granular control

30 Removable Storage Devices Policy Settings
- Computer- and user-based policy to control read and write access
- Removable storage device classes:
  - CD/DVD
  - Tapes
  - USB plug-in devices
  - Windows Portable Devices (WPD)
  - All other external removable storage devices
- Only computer settings are applicable on Terminal Server
- NOTE: this feature work came in after the 5270 CTP build
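The PowerShell script below is an added example, not from the presentation, serving three slides at once: it audits a machine against the six UAC settings of slide 24, the new "exclude all local GPO processing" setting of slide 10, and the per-class removable storage controls of this slide, by reading the registry values those policy settings write and comparing them with a baseline. The "Expected" values are an assumed baseline for illustration, not a Microsoft recommendation; the value names and paths are the ones the Security Options and Administrative Templates policies write on Vista and later. The script covers three of the five device classes listed on the slide (removable disks, CD/DVD, tape) plus the all-classes deny switch; the per-user counterpart of the removable storage keys lives under HKCU with the same layout.

```powershell
# Added example (not from the presentation): audit the registry values written
# by the UAC settings (slide 24), the "Turn off Local Group Policy objects
# processing" setting (slide 10) and the removable storage settings (slide 30).
# The Expected column is an assumed baseline for illustration.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$gp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'   # per-user twin lives under HKCU

$checks = @(
    # --- Slide 24: UAC (Security Options, per machine only) ------------------
    @{ Setting = 'Run all administrators in Admin Approval Mode';              Path = $uac; Name = 'EnableLUA';                   Expected = 1 }
    @{ Setting = 'Elevation prompt for administrators in Admin Approval Mode'; Path = $uac; Name = 'ConsentPromptBehaviorAdmin';  Expected = 2 }  # 2 = prompt for consent on the secure desktop
    @{ Setting = 'Elevation prompt for standard users';                        Path = $uac; Name = 'ConsentPromptBehaviorUser';   Expected = 1 }  # 1 = prompt for credentials on the secure desktop
    @{ Setting = 'Detect application installs and prompt for elevation';      Path = $uac; Name = 'EnableInstallerDetection';    Expected = 1 }
    @{ Setting = 'Elevate executables only if signed and validated';          Path = $uac; Name = 'ValidateAdminCodeSignatures'; Expected = 0 }  # 1 blocks unsigned LOB apps (slide 23); decide deliberately
    @{ Setting = 'Switch to secure desktop when prompting for elevation';     Path = $uac; Name = 'PromptOnSecureDesktop';       Expected = 1 }
    # --- Slide 10: new setting to exclude all local GPO processing -----------
    @{ Setting = 'Turn off Local Group Policy objects processing';            Path = $gp;  Name = 'DisableLGPOProcessing';       Expected = 1 }
    # --- Slide 30: removable storage, all classes and per device class -------
    @{ Setting = 'All removable storage classes: deny all access';            Path = $rsd; Name = 'Deny_All';   Expected = 0 }
    @{ Setting = 'Removable disks (USB): deny write';  Path = "$rsd\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"; Name = 'Deny_Write'; Expected = 1 }
    @{ Setting = 'CD and DVD: deny write';             Path = "$rsd\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"; Name = 'Deny_Write'; Expected = 1 }
    @{ Setting = 'Tape drives: deny read';             Path = "$rsd\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}"; Name = 'Deny_Read';  Expected = 1 }
)

function Test-PolicyValue {
    # Read one policy-backed registry value and classify it against the baseline.
    param([hashtable]$Check)
    $actual = $null
    if (Test-Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($Check.Name) }
    }
    $state = if ($null -eq $actual) { 'NOT CONFIGURED' }     # policy not applied (or Not Configured in the GPO)
             elseif ($actual -eq $Check.Expected) { 'OK' }
             else { 'DIFFERS' }
    New-Object PSObject -Property @{
        Setting  = $Check.Setting
        Value    = $Check.Name
        Expected = $Check.Expected
        Actual   = $actual
        State    = $state
    }
}

$results = $checks | ForEach-Object { Test-PolicyValue -Check $_ }
$results | Sort-Object State | Format-Table State, Setting, Value, Expected, Actual -AutoSize
"Settings needing attention: $(@($results | Where-Object { $_.State -ne 'OK' }).Count)"
```

A NOT CONFIGURED result for a UAC value means the machine is running on the Vista defaults rather than on policy, which is the state the slide-23 "over-privileged users" problem describes; the audit is most useful run on a reference client right after gpupdate, so that a DIFFERS line points at a GPO precedence problem rather than at a stale client.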

31 Removable Storage Access
[Screenshot]

32 Resources
- Group Policy on Microsoft.com
- Group Policy FAQ
- What's New in Group Policy in Windows Vista and Windows Server "Longhorn"
- Managing ADMX Files Step by Step Guide
- Group Policy Feature Suggestions, New Policy Setting Ideas, etc.
